SECURING YOUR DATA


Additional privileges in the access control list
A person with Manager access to a database can select an access level for each person, group, and server and can then enhance or restrict this level as needed by selecting or deselecting the additional privileges within the access level.

Depending on the access level, some of the following optional privileges are available for you to select or deselect when giving a user access to your database.


Optional access control list privileges
Optional privilegeWhen to select/deselect it
Create documentsSelect this option for all users with Author access.

Deselect this option to prevent Authors from adding any more documents. They can continue to read and edit documents they've already created.

Delete documentsDeselect this option if you don't want a user to delete documents, no matter what the access level. Authors can delete only documents they create. If the document contains an Authors field, Authors can delete documents only if their name, a group, or a role that contains their name appears in the Authors field.
Create private agentsA user can run agents that perform tasks allowed by the user's assigned access level in the ACL only. Private agents on server databases take up disk space and processing time on the server, so you may want to deselect this option to prevent users from creating private agents.

Note: Whether or not a user can run agents depends on the access set by the DominoR administrator in the Agents Restrictions section of the Server document in the Domino Directory. If you select "Create LotusScript/Java agents" for a name in the ACL, the Server document controls whether or not the user can run the agent on the server.

Create personal folders/viewsPersonal folders and views created on a server are more secure than those created locally, and they are available on multiple servers. Administrative agents can operate only on folders and views stored on a server.

Note: Preventing users from creating folders and views on a server saves disk space on the server. They can still create folders and views locally.

Create shared folders/viewsDeselect this option to maintain tighter control over database design. Otherwise, a user assigned this privilege can create folders and views that are visible to others.

Note: Users who have this privilege can modify or delete any shared folder, view, or navigator in the database, regardless of whether they created it. Use caution when granting this privilege.

Create LotusScript/Java agentsLotusScriptR and Java™ agents on server databases can take up significant server processing time, so you may want to restrict which users can run them.

Note: Whether or not a user can run agents depends on the access set by the Domino administrator in the Agents Restrictions section of the Server document in the Domino Directory. If you select "Create LotusScript/Java agents" for a name in the ACL, the Server document controls whether or not the user can run the agent on the server.

Read public documentsSelect this option to allow users to read documents or see views and folders designated as "Available to Public Access users," an option in the Security tab of the Forms, Views, and Folders Properties dialog boxes. This option lets you give users with No Access or Depositor access the ability to view specific documents, forms, views, and folders without giving them Reader access. In addition, documents that you want available to public access users must contain a field called $PublicAccess. The $PublicAccess field should be a text field, and its value should be equal to one.

For information about how this privilege applies to mail templates and for information on creating forms, views, and agents, see LotusR Domino Designer 8 Help.

Write public documentsSelect this option to allow users to create and modify documents with forms designated as "Available to Public Access users" in the Security tab of the Form Properties dialog box. This option lets you give users create and edit access to specific documents without giving them Author access, or an equivalent role, and gives users access to create documents from any form in a database.
Replicate or copy documentsSelect this privilege to allowe users to:
    • replicate or copy the database, or documents from the database, locally or to the clipboard.
    • copy, print, or forward documents from the database, or parts of these documents;
    • select all text in a document opened in read mode.
Note: Deselecting this option is not a true security measure because users can still print using Ctrl+Print Screen or they can open a document and copy data to the clipboard.

You can select this privilege for all access levels; for users with access levels of Depositor and No Access, you can only enable this if "Read public document" has also been granted.

Related topics
The Access Control List
Access levels for a database
To add a user to the access control list and set the access level